Add support for the credProps extension

examples/ctap2.rs

@@ -176,12 +176,8 @@ fn main() {
         }],
         user_verification_req: UserVerificationRequirement::Preferred,
         resident_key_req: ResidentKeyRequirement::Discouraged,
-        extensions: MakeCredentialsExtensions {
-            hmac_secret: if matches.opt_present("hmac_secret") {
-                Some(true)
-            } else {
-                None
-            },
+        extensions: AuthenticationExtensionsClientInputs {
+            cred_props: Some(true),
             ..Default::default()
         },
         pin: None,

examples/ctap2_discoverable_creds.rs

@@ -6,8 +6,9 @@ use authenticator::{
     authenticatorservice::{AuthenticatorService, RegisterArgs, SignArgs},
     crypto::COSEAlgorithm,
     ctap2::server::{
-        PublicKeyCredentialDescriptor, PublicKeyCredentialParameters, RelyingParty,
-        ResidentKeyRequirement, Transport, User, UserVerificationRequirement,
+        AuthenticationExtensionsClientInputs, PublicKeyCredentialDescriptor,
+        PublicKeyCredentialParameters, RelyingParty, ResidentKeyRequirement, Transport, User,
+        UserVerificationRequirement,
     },
     statecallback::StateCallback,
     Pin, StatusPinUv, StatusUpdate,
@@ -132,7 +133,10 @@ fn register_user(manager: &mut AuthenticatorService, username: &str, timeout_ms:
         }],
         user_verification_req: UserVerificationRequirement::Required,
         resident_key_req: ResidentKeyRequirement::Required,
-        extensions: Default::default(),
+        extensions: AuthenticationExtensionsClientInputs {
+            cred_props: Some(true),
+            ..Default::default()
+        },
         pin: None,
         use_ctap1_fallback: false,
     };

examples/test_exclude_list.rs

@@ -3,7 +3,7 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 use authenticator::{
-    authenticatorservice::{AuthenticatorService, GetAssertionExtensions, RegisterArgs, SignArgs},
+    authenticatorservice::{AuthenticatorService, RegisterArgs, SignArgs},
     crypto::COSEAlgorithm,
     ctap2::commands::StatusCode,
     ctap2::server::{
@@ -220,7 +220,7 @@ fn main() {
         origin,
         relying_party_id: "example.com".to_string(),
         allow_list: vec![],
-        extensions: GetAssertionExtensions::default(),
+        extensions: Default::default(),
         pin: None,
         alternate_rp_id: None,
         use_ctap1_fallback: false,

src/authenticatorservice.rs

@@ -4,8 +4,9 @@
 
 use crate::ctap2::commands::client_pin::Pin;
 use crate::ctap2::server::{
-    AuthenticationExtensionsClientInputs, PublicKeyCredentialDescriptor, PublicKeyCredentialParameters, RelyingParty,
-    ResidentKeyRequirement, User, UserVerificationRequirement,
+    AuthenticationExtensionsClientInputs, PublicKeyCredentialDescriptor,
+    PublicKeyCredentialParameters, RelyingParty, ResidentKeyRequirement, User,
+    UserVerificationRequirement,
 };
 use crate::errors::*;
 use crate::manager::Manager;

src/ctap2/commands/make_credentials.rs

@@ -232,6 +232,8 @@ pub struct MakeCredentialsExtensions {
     pub pin_min_length: Option<bool>,
     #[serde(rename = "hmac-secret", skip_serializing_if = "Option::is_none")]
     pub hmac_secret: Option<bool>,
+    #[serde(skip_serializing)]
+    pub cred_props: Option<bool>,
 }
 
 impl MakeCredentialsExtensions {
@@ -241,8 +243,11 @@ impl MakeCredentialsExtensions {
 }
 
 impl From<AuthenticationExtensionsClientInputs> for MakeCredentialsExtensions {
-    fn from(_input: AuthenticationExtensionsClientInputs) -> Self {
-        Default::default()
+    fn from(input: AuthenticationExtensionsClientInputs) -> Self {
+        Self {
+            cred_props: input.cred_props,
+            ..Default::default()
+        }
     }
 }
 
@@ -293,6 +298,17 @@ impl MakeCredentials {
 
     pub fn finalize_result(&self, result: &mut MakeCredentialsResult) {
         // Handle extensions whose outputs are not encoded in the authenticator data.
+        // 1. credProps
+        //      "set clientExtensionResults["credProps"]["rk"] to the value of the
+        //      requireResidentKey parameter that was used in the invocation of the
+        //      authenticatorMakeCredential operation."
+        if self.extensions.cred_props == Some(true) {
+            result
+                .extensions
+                .cred_props
+                .get_or_insert(Default::default())
+                .rk = self.options.resident_key.unwrap_or(false);
+        }
     }
 }
 

src/ctap2/server.rs

@@ -329,11 +329,20 @@ pub enum UserVerificationRequirement {
     Required,
 }
 
-#[derive(Copy, Clone, Debug)]
-pub struct AuthenticationExtensionsClientInputs;
+#[derive(Clone, Debug, Default)]
+pub struct AuthenticationExtensionsClientInputs {
+    pub cred_props: Option<bool>,
+}
 
 #[derive(Clone, Debug, Default, Eq, PartialEq)]
-pub struct AuthenticationExtensionsClientOutputs;
+pub struct CredentialProperties {
+    pub rk: bool,
+}
+
+#[derive(Clone, Debug, Default, Eq, PartialEq)]
+pub struct AuthenticationExtensionsClientOutputs {
+    pub cred_props: Option<CredentialProperties>,
+}
 
 #[cfg(test)]
 mod test {